ISO 13849–1 Analysis — Part 5: Diagnostic Coverage (DC)

A graph showing the theoretical "bathtub curve" for product failure rate over the lifetime of the product.
This entry is part 5 of 9 in the series How to do a 13849–1 analy­sis

What is Diagnostic Coverage?

Under­stand­ing Diag­nos­tic Cov­er­age (DC) as it is used in ISO 13849–1 [1] is crit­i­cal to analysing the design of any safe­ty func­tion assessed using this stan­dard. In case you missed a pre­vi­ous part of the series, you can read it here.

In the last instal­ment of this series dis­cussing MTTFD, I brought up the fact that every­thing fails even­tu­al­ly, and so every­thing has a nat­ur­al fail­ure rate. The bath­tub curve shown at the top of this post shows a typ­i­cal fail­ure rate curve for most prod­ucts. Fail­ure rates tell you the aver­age time (or some­times the mean time) it takes for com­po­nents or sys­tems to fail. Fail­ure rates are expressed in many ways, MTTFD and PFHd being the ways rel­e­vant to this dis­cus­sion of ISO 13849 analy­sis. MTTFis giv­en in years, and PFHd is giv­en in frac­tion­al hours (1/h). As a reminder, PFHd stands for “Prob­a­bil­i­ty of dan­ger­ous Fail­ure per Hour”.

Three of the stan­dard archi­tec­tures include auto­mat­ic diag­nos­tic func­tions, Cat­e­gories 2, 3 and 4. As soon as we add diag­nos­tics to the sys­tem, we need to know what faults the diag­nos­tics can detect and how many of the dan­ger­ous fail­ures rel­a­tive to the total num­ber of fail­ures that rep­re­sents. Diag­nos­tic Cov­er­age (DC) rep­re­sents the ratio of dan­ger­ous fail­ures that can be detect­ed to the total dan­ger­ous fail­ures that could occur, expressed as a per­cent­age. There will be some fail­ures that do not result in a dan­ger­ous fail­ure, and those fail­ures are exclud­ed from DC because we don’t need to wor­ry about them — if they occur, the sys­tem will not fail into a dan­ger­ous state.

Here’s the for­mal def­i­n­i­tion from [1]:

3.1.26 diag­nos­tic cov­er­age (DC)

mea­sure of the effec­tive­ness of diag­nos­tics, which may be deter­mined as the ratio between the fail­ure rate of detect­ed dan­ger­ous fail­ures and the fail­ure rate of total dan­ger­ous fail­ures

Note 1 to entry: Diag­nos­tic cov­er­age can exist for the whole or parts of a safe­ty-relat­ed sys­tem. For exam­ple, diag­nos­tic cov­er­age could exist for sen­sors and/or log­ic sys­tem and/or final ele­ments. [SOURCE: IEC 61508–4:1998, 3.8.6, mod­i­fied.]

That brings up two oth­er relat­ed def­i­n­i­tions that need to be kept in mind [1]:

3.1.4 fail­ure

ter­mi­na­tion of the abil­i­ty of an item to per­form a required func­tion

Note 1 to entry: After a fail­ure, the item has a fault.

Note 2 to entry: “Fail­ure” is an event, as dis­tin­guished from “fault”, which is a state.

Note 3 to entry: The con­cept as defined does not apply to items con­sist­ing of soft­ware only.

Note 4 to entry: Fail­ures which only affect the avail­abil­i­ty of the process under con­trol are out­side of the scope of this part of ISO 13849. [SOURCE: IEC 60050–191:1990, 04–01.]

and the most impor­tant one [1]:

3.1.5 dan­ger­ous fail­ure

fail­ure which has the poten­tial to put the SRP/CS in a haz­ardous or fail-to-func­tion state

Note 1 to entry: Whether or not the poten­tial is real­ized can depend on the chan­nel archi­tec­ture of the sys­tem; in redun­dant sys­tems a dan­ger­ous hard­ware fail­ure is less like­ly to lead to the over­all dan­ger­ous or fail-to- func­tion state.

Note 2 to entry: [SOURCE: IEC 61508–4, 3.6.7, mod­i­fied.]

Just as a reminder, SRP/CS stands for “safe­ty-relat­ed parts of con­trol sys­tems”.

Failure Math

Failure Rate Data Sources

To do any cal­cu­la­tions, we need data, and this is true for fail­ure rates as well. ISO 13849–1 pro­vides some tables in the annex­es that list some com­mon types of com­po­nents and their asso­ci­at­ed fail­ure rates, and there are more fail­ure rate tables in ISO 13849–2. A word of cau­tion here: Do not mix sources of fail­ure rate data, as the con­di­tions under which that data is true won’t match the data in ISO 13849. There are a few good sources of fail­ure rate data out there, for exam­ple, MIL-HDBK-217, Reli­a­bil­i­ty Pre­dic­tion of Elec­tron­ic Equip­ment [15], as well as the data­base main­tained by Exi­da. In any case, use a sin­gle source for your fail­ure rate data.

Failure Rate Variables

IEC 61508 [7] defines a num­ber of vari­ables relat­ed to fail­ure rates. The low­er­case Greek let­ter lamb­da, \lambda, is used to denote fail­ures.

The com­mon vari­able des­ig­na­tions used are:

\lambda = fail­ures
\lambda_{(t)} = fail­ure rate
\lambda_s = “safe” fail­ures
\lambda_d = “dan­ger­ous” fail­ures
\lambda_{dd} = detectable “dan­ger­ous” fail­ures
\lambda_{du} = unde­tectable “dan­ger­ous” fail­ures

Calculating DC

Of these vari­ables, we only need to con­cern our­selves with \lambda_d, \lambda_{dd} and \lambda_{du}. To under­stand how these vari­ables are used, we can express their rela­tion­ship as


Fol­low­ing on that idea, the Diag­nos­tic Cov­er­age can be expressed as a per­cent­age like this:

DC\%=\frac{\lambda_{dd}}{\lambda_d}\times 100

Determining DC%

If you want to actu­al­ly cal­cu­late DC%, you have some work ahead of you. Rather than going into the details here, I am going to refer you hard­core types to IEC 61508–2, Func­tion­al safe­ty of electrical/electronic/programmable elec­tron­ic safe­ty-relat­ed sys­tems — Part 2: Require­ments for electrical/electronic/programmable elec­tron­ic safe­ty-relat­ed sys­tems. This stan­dard goes into some depth on how to deter­mine fail­ure rates and how to cal­cu­late the “Safe Fail­ure Frac­tion,” a num­ber which is relat­ed to DC but is not the same.

For every­one else, the good news is that you can use the table in Annex E to esti­mate the DC%. It’s worth not­ing here that Annex E is “Infor­ma­tive.” In stan­dards-speak, this means that the infor­ma­tion in the annex is not part of the “nor­ma­tive” text, which means that it is sim­ply infor­ma­tion to help you use the nor­ma­tive part of the stan­dard. The design must con­form to the require­ments in the nor­ma­tive text if you want to claim con­for­mi­ty to the stan­dard. The fact that [1, Annex E] is infor­ma­tive gives you the option to cal­cu­late the DC% val­ue rather than select­ing it from Table E.1. Using the cal­cu­lat­ed val­ue would not vio­late the require­ments in the nor­ma­tive text.

If you are using IFA SISTEMA [16] to do the cal­cu­la­tions for you, you will find that the soft­ware lim­its you to select­ing a sin­gle DC mea­sure from Table E.1, and this prin­ci­ple applies if you are doing the cal­cu­la­tions by hand too. Only one item from Table E.1 can be select­ed for a giv­en safe­ty func­tion.

Ranking DC

Once you have deter­mined the DC for a safe­ty func­tion, you need to com­pare the DC val­ue against [1, Table 5] to see if the DC is suf­fi­cient for the PLr you are try­ing to achieve. Table 5 bins the DC results into four ranges. Just like bin­ning the PFHd val­ues into five ranges helps to pre­vent pre­ci­sion bias in esti­mat­ing the prob­a­bil­i­ty of fail­ure of the com­plete sys­tem or safe­ty func­tion, the ranges in Table 5 helps to pre­vent pre­ci­sion bias in the cal­cu­lat­ed or select­ed DC val­ues.

ISO 13849-1, Table 5 Diagnostic coverage (DC)
ISO 13849–1, Table 5 Diag­nos­tic cov­er­age (DC)

If the DC val­ue was high enough for the PLr, then you are done with this part of the work. If not, you will need to go back to your design and add addi­tion­al diag­nos­tic fea­tures so that you can either select a high­er cov­er­age from [1, Table E.1] or cal­cu­late a high­er val­ue using [14].

Multiple safety functions

When you have mul­ti­ple safe­ty func­tions that make up a com­plete safe­ty sys­tem, for exam­ple, an emer­gency stop func­tion and a guard inter­lock­ing func­tion, the DC val­ues need to be aver­aged to deter­mine the over­all DC for the com­plete sys­tem. [1, Annex E] pro­vides you with a method to do this in Equa­tion E.1.

Equation for averaging the DC values of multiple safety functions
ISO 13849–1-2015 Equa­tion E.1

Plug in the val­ues for MTTFD and DC for each safe­ty func­tion, and cal­cu­late the result­ing DCavg val­ue for the com­plete sys­tem.

That’s it for this arti­cle. The next part will cov­er Com­mon Cause Fail­ures (CCF). Look for it on 20-Mar-17!

In case you missed the first part of the series, you can read it here.

Book List

Here are some books that I think you may find help­ful on this jour­ney:

[0]     B. Main, Risk Assess­ment: Basics and Bench­marks, 1st ed. Ann Arbor, MI USA: DSE, 2004.

[0.1]  D. Smith and K. Simp­son, Safe­ty crit­i­cal sys­tems hand­book, 3rd Ed. Ams­ter­dam: Else­vier/But­ter­worth-Heine­mann, 2011.

[0.2]  Elec­tro­mag­net­ic Com­pat­i­bil­i­ty for Func­tion­al Safe­ty, 1st ed. Steve­nage, UK: The Insti­tu­tion of Engi­neer­ing and Tech­nol­o­gy, 2008.

[0.3]  Overview of tech­niques and mea­sures relat­ed to EMC for Func­tion­al Safe­ty, 1st ed. Steve­nage, UK: Overview of tech­niques and mea­sures relat­ed to EMC for Func­tion­al Safe­ty, 2013.


Note: This ref­er­ence list starts in Part 1 of the series, so “miss­ing” ref­er­ences may show in oth­er parts of the series. Includ­ed in the last post of the series is the com­plete ref­er­ence list.

[1]     Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design. 3rd Edi­tion. ISO Stan­dard 13849–1. 2015.

[7]     Func­tion­al safe­ty of electrical/electronic/programmable elec­tron­ic safe­ty-relat­ed sys­tems. 7 parts. IEC Stan­dard 61508. Edi­tion 2. 2010.

[14]   Func­tion­al safe­ty of electrical/electronic/programmable elec­tron­ic safe­ty-relat­ed sys­tems — Part 2: Require­ments for electrical/electronic/programmable elec­tron­ic safe­ty-relat­ed sys­tems. IEC Stan­dard 61508–2. 2010.

[15]     Reli­a­bil­i­ty Pre­dic­tion of Elec­tron­ic Equip­ment. Mil­i­tary Hand­book MIL-HDBK-217F. 1991.

[16]     “IFA — Prac­ti­cal aids: Soft­ware-Assis­tent SISTEMA: Safe­ty Integri­ty — Soft­ware Tool for the Eval­u­a­tion of Machine Appli­ca­tions”,, 2017. [Online]. Avail­able: [Accessed: 30- Jan- 2017].

Digiprove sealCopy­right secured by Digiprove © 2017
Acknowl­edge­ments: IEC and ISO as cit­ed
Some Rights Reserved
Series Nav­i­ga­tionISO 13849–1 Analy­sis — Part 4: MTTFD — Mean Time to Dan­ger­ous Fail­ure”>ISO 13849–1 Analy­sis — Part 4: MTTFD — Mean Time to Dan­ger­ous Fail­ureISO 13849–1 Analy­sis — Part 6: CCF — Com­mon Cause Fail­ures”>ISO 13849–1 Analy­sis — Part 6: CCF — Com­mon Cause Fail­ures

Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. ( in Kitchener, Ontario, and is Lead Author and Senior Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity. For more see Doug's LinkedIn profile.